Just-In-Time Settings

The following tables list the settings used when the User Provisioning option is set to Just-in-Time.

User Provisioning
Setting | Description/Values
Default User Groups

If the identity provider does not provide one or more groups for a user, the user will be assigned the groups defined here.

Tip

  • When you first configure HMP for JIT user provisioning, you must create a user group before being able to assign a default user group. For instructions on creating groups, see the JIT tab at Managing Groups (LDAP/AD/JIT Only).
  • See the Group Membership field in the User Attribute Mapping section to define the attribute name used by the identity provider that provides the group information.
Just-in-Time
Setting | Description/Values
SAML SSO URL

For SP-initiated SSO, specify the URL on the IDP server to redirect to for authentication. 

For IDP-initiated SSO, leave this field blank.

Audience URI

Service Provider Entity ID

Unique Identifier

Provide the SAML attribute name used by the identity provider that defines each user's unique ID.

Note

This value must be nameID.

IDP Public Certificate

HMP uses the IDP certificate to verify that any tokens that it receives after a successful sign-in have not been tampered with.

SP Sign Request

Toggle to specify whether HMP signs its SAML authentication request before sending it to the IDP.

SP Signature Algorithm

(SP Sign Request enabled) Defines the cryptographic algorithm used by HMP to sign authentication requests and SAML messages: SHA256 or SHA512.

SP SAML Signing Certificate

(SP Sign Request enabled) The public certificate that HMP uses to sign SAML requests and responses. Download this certificate and supply it to your Identity Provider (IDP) so that it can validate that HMP's signed messages are legitimate.

User Attribute Mapping

Note

For best results, provide as many fields as possible. If First and/or Last Name is not provided, the Short Name is used to identify the user throughout HMP (welcome message, users list, username in watermarks, logs, etc.). If the Short Name is not provided, the Unique Identifier is used to identify the user throughout HMP.

Setting | Description/Values
First Name
Last Name
Email

Provide the SAML attribute names used by the identity provider to populate the first name, last name, and email into each user's account.

Short Name

Provide the SAML attribute name to uniquely identify the user throughout HMP when First/Last Name is not provided or not displayed due to space limitations. This attribute should be specified if the Unique Identifier is not human-readable and/or not user-friendly (such as a UUID).

Group Membership

Provide the SAML attribute name that contains the list of groups assigned to the user. When this field is specified, group membership is inherited from the IDP and read-only in HMP. When this field is blank, group membership is not inherited from the IDP and the local HMP administrator is able to assign groups to each user.
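
The name fallback and group rules described above, worked through on a constructed SAML assertion. This is an added example, not HMP's own code; it assumes the assertion's signature has already been verified against the IDP Public Certificate. The attribute names (givenName, sn, mail, uid, memberOf), the function resolve_user, and the reading that a missing first or last name triggers the Short Name fallback and that default groups apply whenever the IDP sends none are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IDP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>3f2a9c1e-uuid-example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>alovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Editors</saml:AttributeValue>
      <saml:AttributeValue>Viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping: keys mirror the settings table, values are assumed IDP attribute names.
MAPPING = {"first": "givenName", "last": "sn", "email": "mail",
           "short": "uid", "groups": "memberOf"}

def resolve_user(assertion_xml, mapping, default_groups):
    """Apply the User Attribute Mapping rules to an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    # Unique Identifier must be nameID, so a missing NameID is a hard failure.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("assertion has no NameID; cannot provision user")
    attrs = {}
    for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = [v for v in vals if v]

    def first_value(key):
        name = mapping.get(key)
        return (attrs.get(name) or [None])[0] if name else None

    first, last, short = first_value("first"), first_value("last"), first_value("short")
    # Fallback chain: First/Last Name, then Short Name, then Unique Identifier.
    display = f"{first} {last}" if first and last else (short or name_id)
    group_attr = mapping.get("groups")
    idp_groups = attrs.get(group_attr, []) if group_attr else []
    return {"unique_id": name_id, "display_name": display, "email": first_value("email"),
            # Default User Groups apply only when the IDP supplied no groups.
            "groups": idp_groups or list(default_groups),
            # With Group Membership mapped, membership is inherited and read-only.
            "groups_read_only": bool(group_attr)}
```

With the sample above, the missing last name means the user is shown as the Short Name, and the IDP-supplied groups win over the defaults.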
